Insufficient Granularity of Access Control

Overview Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the properties API endpoint. An attacker can access and retrieve the complete list of configurable metadata definitions by sending requests as an authenticated backend user without explicit...

EUVD-2024-0338

Malicious code in bioql PyPI...

EUVD-2024-0388

Malicious code in bioql PyPI...

EUVD-2024-0490

Malicious code in bioql PyPI...

CVE-2023-37280

Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not setup two factor authentication before is vulnerable for this attack, without need for any form of privilege, causing the application to execute arbitrary scripts/HTML content. This...

CVE-2023-47636

The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure FPD vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the loadfile within a SQL Injection query to view the page...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the reset password link sent through the Forgot Password functionality. An attacker can determine valid user accounts by observing error messages that disclose whether an account exists. Remediation Upgrade...

CVE-2025-24980 Pimcore Admin Classic Bundle allows user enumeration

pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. No generic error message has been implemented. This issue has been addressed in version...

CVE-2024-25625

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in pimcore/admin-ui-classic-bundle prior to version 1.3.4. The vulnerability involves a Host Header Injection in the invitationLinkAction function of the UserController,...

CVE-2024-23646

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter selectedIds is susceptible to SQL Injection. Any backend user with very basic...

PT-2024-35962 · Ibexa · Ibexa Admin Ui Bundle

Name of the Vulnerable Software and Affected Versions: Ibexa Admin UI Bundle versions prior to 4.6.14 Description: A Cross-Site Scripting XSS vulnerability has been found in the Content name pattern mechanism of the Ibexa Admin UI Bundle. This issue can be exploited if an attacker has Content edi...

Cross-site Request Forgery (CSRF)

sylius/admin-bundle is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to the absence of a CSRF token requirement in several administrative actions, such as marking orders payments as completed or refunded, and marking product reviews as accepted or rejected. This flaws...

Cross-site Scripting (XSS)

sonata-project/admin-bundle is vulnerable to cross-site scripting XSS attacks. The library does not properly escape item.label in function templateResult in sonatatypemodelautocomplete.html.twig, allowing a malicious user to inject and execute arbitrary web scripts...